Businesses within and adjacent to the healthcare industry must follow stringent controls to safeguard the class of data known as “protected health information” (PHI). Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), de-identification is one central protection element: information that has been properly de-identified is no longer PHI and falls outside the Privacy Rule’s use and disclosure restrictions. One of the two approaches available to businesses that need HIPAA compliance is the “safe harbor” method.
Read on to learn the safe harbor provisions under HIPAA and how to implement them in your healthcare business.
Safe Harbor Provisions Under HIPAA Explained
Safe harbor in HIPAA offers a prescriptive, checklist-style approach to de-identification that does not depend on an expert’s statistical evaluation. To understand the safe harbor provisions, it is essential to understand the immediate context of the HIPAA rule to which they belong: the Privacy Rule.
This guide will break down all you need to know on the HIPAA safe harbor provisions, including:
- An introduction to the HIPAA Privacy Rule along with its core objectives and controls
- A detailed explanation of both HIPAA de-identification methods, including safe harbor
- An overview of the other HIPAA rules and controls required for full HIPAA compliance
By the end of this blog, you will know what the Privacy Rule requires to de-identify information and how that fits into overall HIPAA compliance. But first, let’s define some basic terms.
Overview of HIPAA’s Purpose and Stakeholders
HIPAA exists to protect data in patients’ medical and financial records, which could harm both the patients and the institutions holding that data if it gets into the wrong hands. HIPAA secures PHI across medical, healthcare, and adjacent businesses, so its controls apply not only to doctors and hospitals but to all “covered entities.” These include:
- Healthcare providers – Doctors, psychologists, dentists, pharmacists, and individual practitioners; hospitals, nursing homes, and many other group care facilities
- Healthcare plans – Health insurance companies and health maintenance organizations (HMOs), along with company-provided and governmental health plans (Medicare, etc.)
- Health clearinghouses – Entities that receive health information in a non-standard format from another entity and convert it into a standard electronic format, or the reverse
HIPAA might still apply to you if your company is not directly involved in healthcare yet provides services to a healthcare entity. A significant impact of the “HITECH” update to HIPAA in 2009 was the extension of compliance responsibilities to the business associates of covered entities.
Context: Understanding HIPAA’s Privacy Rule
The HIPAA Privacy Rule is the first and most essential rule of the entire HIPAA framework. It was first proposed in 1999, and its first final form appeared in 2000. It sets up the definitions of PHI and of the covered entities detailed above, and it set the stage for, and still informs, subsequent HIPAA rules and regulations. In December 2020, HHS published a proposed rule to modify the Privacy Rule; the proposed changes, motivated in part by experience during the COVID-19 pandemic, focus on individual access and care coordination.
The Privacy Rule is the basis of HIPAA. This rule and its definitions are referenced throughout the controls and protocols in all other rules. The Privacy Rule’s purpose is to define the specific conditions under which PHI may be used or disclosed, to whom, and why (or why not). Moreover, it also explains cases in which PHI must be disclosed and restrictions on permitted uses and disclosures. Let’s take a closer look at its controls.
Privacy Rule Controls for PHI Use and Disclosure
According to the US Department of Health and Human Services’s (HHS) summary of the Privacy Rule, its primary function is to define the conditions under which use or disclosure is permitted. These conditions include:
- Disclosure to the individual who is the subject of the PHI, or to their personal representative.
- Uses and disclosures for the covered entity’s own treatment, payment, and healthcare operations.
- Uses and disclosures for which the individual has been given an informal opportunity to agree or object, such as notifications to family members or listing in a facility directory.
- Uses and disclosures that are incidental to a permitted use or disclosure, provided reasonable safeguards and the minimum necessary standard were applied (a conversation overheard in a hospital corridor, for example).
- Uses and disclosures in the public interest or for public benefit, including public health activities, law enforcement purposes, specified government functions, and research under defined conditions.
- Uses and disclosures of a limited data set, from which specified direct identifiers have been removed, for research, public health, or healthcare operations, under a data use agreement that specifies the recipient’s safeguards.
Uses and disclosures that fall outside these conditions require the individual’s written authorization. Two disclosures are required rather than merely permitted: to the individual (or their representative) on request, and to HHS when it investigates compliance. Most other uses and disclosures must be limited to the “minimum necessary” to accomplish the purpose; disclosures to the individual and for treatment are among the exceptions to that standard.
De-Identification of PHI Under the Privacy Rule
The purpose of safeguarding PHI is to keep it out of the hands of an attacker or other party who could identify a patient and target them for fraud or other crimes. Per the HHS’s guidance on de-identification, medical records, lab reports, and hospital bills are PHI because they combine health-related content with information that identifies the individual. PHI comprises individually identifiable information about:
- Information on, about, and otherwise related to a patient’s current, past, or (projected) future medical condition, including physical and mental disorders and indicators.
- Details of or about provisions of healthcare treatment or services rendered to a patient, including procedures undertaken, assessments, medications prescribed, therapy, etc.
- Past, present, or future payment for the patient’s care, together with the identifiers (name, address, social security number, birth date, etc.) that tie the record to the individual or could reasonably be used to do so.
There are two possible methods for removing this information and verifying its removal for compliance with HIPAA: “expert determination” and “safe harbor.” Let’s take a look at each.
De-Identification Method #1: Expert Determination
The first method for de-identification of PHI depends upon the expertise available to a covered entity, whether internally or through a contracted third party. According to the HHS’s de-identification guide, 45 CFR §164.514(b)(1) provides that information is de-identified if a person with appropriate knowledge of, and experience with, generally accepted statistical and scientific principles and methods for rendering information not individually identifiable applies those methods to it.
This expert must determine that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify the individual. The expert must also document the methods and results of the analysis that justify that determination. Those methods often overlap with the removals prescribed by the second method, safe harbor, but an expert may retain some fields that safe harbor would remove if the analysis supports it.
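An expert determination is a risk analysis, not a checklist, and the core question is whether any combination of the fields left in a record singles out so few people that a recipient holding public data (a voter roll, for instance) could link them. The following is an added example, not code from the original post or from HHS: a k-anonymity style uniqueness check over quasi-identifiers. It assumes records have already been reduced to safe-harbor-style fields (`zip3`, `birth_year`, `sex` are hypothetical names), counts how many records share each combination, and suppresses the quasi-identifiers of records in groups smaller than `k`. The sample records are constructed.

```python
"""Record-uniqueness check over quasi-identifiers (k-anonymity).

Added example, not part of the original post. Records are assumed to be
already reduced to safe-harbor-style fields; the field names are hypothetical.
"""
from __future__ import annotations

from collections import Counter
from typing import Any, Iterable, Sequence

# Fields that are not direct identifiers but are linkable to outside data.
QUASI_IDENTIFIERS: Sequence[str] = ("zip3", "birth_year", "sex")


def equivalence_classes(records: Iterable[dict[str, Any]],
                        keys: Sequence[str] = QUASI_IDENTIFIERS) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(rec.get(key) for key in keys) for rec in records)


def small_classes(records: Sequence[dict[str, Any]], k: int,
                  keys: Sequence[str] = QUASI_IDENTIFIERS) -> dict[tuple, int]:
    """Return the quasi-identifier combinations shared by fewer than k records."""
    return {cls: n for cls, n in equivalence_classes(records, keys).items() if n < k}


def is_k_anonymous(records: Sequence[dict[str, Any]], k: int,
                   keys: Sequence[str] = QUASI_IDENTIFIERS) -> bool:
    """True when every record is indistinguishable from at least k-1 others."""
    return not small_classes(records, k, keys)


def suppress_small_classes(records: Sequence[dict[str, Any]], k: int,
                           keys: Sequence[str] = QUASI_IDENTIFIERS) -> list[dict[str, Any]]:
    """Blank the quasi-identifiers of records that sit in classes smaller than k.

    Suppression is the bluntest fix; an expert would more often generalize
    instead (birth year to a five-year band, say) to keep the data useful.
    The input list is not modified.
    """
    risky = small_classes(records, k, keys)
    cleaned = []
    for rec in records:
        cls = tuple(rec.get(key) for key in keys)
        if cls in risky:
            rec = {**rec, **{key: None for key in keys}}
        cleaned.append(rec)
    return cleaned


# Constructed sample: six already-reduced, fictional records.
SAMPLE = [
    {"zip3": "941", "birth_year": 1985, "sex": "F", "dx": "E11.9"},
    {"zip3": "941", "birth_year": 1985, "sex": "F", "dx": "I10"},
    {"zip3": "941", "birth_year": 1985, "sex": "F", "dx": "J45.20"},
    {"zip3": "941", "birth_year": 1985, "sex": "M", "dx": "E11.9"},
    {"zip3": "941", "birth_year": 1985, "sex": "M", "dx": "K21.9"},
    {"zip3": "000", "birth_year": 1930, "sex": "F", "dx": "I10"},
]

if __name__ == "__main__":
    print("classes below k=3:", small_classes(SAMPLE, k=3))
    print("k=3 after suppression:", is_k_anonymous(suppress_small_classes(SAMPLE, 3), 3))
```

The single 1930 record is the kind of outlier that defeats both methods: it is unique on its own even after every direct identifier is gone, which is exactly the "actual knowledge" problem safe harbor also has to confront. The choice of `k` and of which fields count as quasi-identifiers is the expert's judgment, and it is that judgment, with the supporting analysis, that has to be documented.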
De-Identification Method #2: “Safe Harbor” Method
The safe harbor method HIPAA prescribes is a fixed checklist rather than a risk analysis. Per the HHS’s de-identification guide, it requires removing 18 categories of identifiers of the individual and of the individual’s relatives, employers, and household members. These are:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code, except that the first three digits of a ZIP code may be kept when the area sharing those three digits contains more than 20,000 people (otherwise the prefix must be changed to 000)
- All elements of dates (except year) directly related to the individual, including birth date, admission and discharge dates, and date of death; and all ages over 89 and any date elements (including year) that reveal such an age, which may instead be aggregated into a single “90 or older” category
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web universal resource locators (URLs)
- Social security numbers, in full; safe harbor permits no partial retention
- Internet protocol (IP) addresses
- Medical record numbers (diagnosis and procedure codes are not identifiers and may remain)
- Biometric identifiers, including fingerprints and voiceprints
- Health plan beneficiary numbers
- Full-face photographs and any comparable images
- Account numbers
- Any other unique identifying number, characteristic, or code, except a re-identification code the covered entity assigns under 45 CFR §164.514(c) (it must not be derived from information about the individual and must not be disclosed)
- Certificate and license numbers
Removing all 18 categories satisfies the first condition of 45 CFR §164.514(b)(2). The second condition, (b)(2)(ii), is that the covered entity has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual; a free-text note describing a patient’s unusual occupation or a newsworthy injury can defeat safe harbor even when every listed field has been removed. Only when both conditions hold is the data de-identified under §164.514(a). But full HIPAA compliance comprises much more.
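The checklist above is mechanical enough to implement as a transform over structured records, and doing so fail-closed (keep only what is allow-listed, drop everything else) is the safer engineering choice. The following is an added example, not code from the original post or from HHS. It assumes a hypothetical record schema (`birth_date`, `admit_date`, `zip`, `mrn`, `notes`, and so on are illustrative names), reduces dates to years, caps ages at “90 or older” (dropping the birth year in that case, since it reveals the age), keeps a three-digit ZIP prefix only where the HHS guidance allows it, and then scans the retained values for identifier patterns that tend to survive in free text, since those would violate the “no actual knowledge” condition. The restricted ZIP prefixes are the 17 listed in the HHS guidance (2000 census figures) and should be re-checked against current data before use; the sample patient is constructed.

```python
"""Safe-harbor de-identification of a structured patient record.

Added example, not from the original post. The record schema is hypothetical.
Strategy: allow-list what may be retained, generalize what safe harbor lets
you keep in reduced form, drop everything else, then scan for leaks.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer per
# the HHS de-identification guidance (2000 census); these must become "000".
# Re-verify against current census data before relying on this set.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields that are none of the 18 identifiers and may be kept unchanged.
KEEP_AS_IS = {"state", "sex", "diagnosis_codes", "procedure_codes", "notes"}

# Date fields related to the individual, mapped to their year-only output names.
DATE_FIELDS = {
    "birth_date": "birth_year",
    "admit_date": "admit_year",
    "discharge_date": "discharge_year",
    "death_date": "death_year",
}

# Identifier shapes that commonly leak through free-text fields.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


class ReidentificationRisk(Exception):
    """Raised when retained data still contains an identifier pattern."""


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless the prefix is restricted or too short."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scan_for_leaks(value: Any) -> list[str]:
    """Names of identifier patterns found in a retained string value."""
    if not isinstance(value, str):
        return []
    return [name for name, rx in LEAK_PATTERNS.items() if rx.search(value)]


def deidentify(record: dict[str, Any], as_of: date) -> dict[str, Any]:
    """Return a safe-harbor-reduced copy of record; raise if identifiers remain."""
    out: dict[str, Any] = {}
    over_89 = "birth_date" in record and age_on(record["birth_date"], as_of) > 89

    for key, value in record.items():
        if key in DATE_FIELDS:
            # Year only; for ages over 89 even the birth year reveals the age.
            if key == "birth_date" and over_89:
                continue
            out[DATE_FIELDS[key]] = value.year
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = "90+" if value > 89 else value
        elif key in KEEP_AS_IS:
            out[key] = value
        # Anything else (name, MRN, SSN, phone, device serial, unknown field)
        # is one of the 18 identifiers or unrecognized, and is dropped.

    for key, value in out.items():
        hits = scan_for_leaks(value)
        if hits:
            raise ReidentificationRisk(f"{key} still contains {', '.join(hits)}")
    return out


# Constructed sample record (fictional patient).
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "birth_date": date(1930, 4, 2),
    "admit_date": date(2021, 3, 15),
    "zip": "03601",
    "state": "NH",
    "sex": "F",
    "diagnosis_codes": ["E11.9"],
    "notes": "Follow-up scheduled; see chart.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2021, 6, 1)))
```

Two design points matter more than the field list. First, unknown fields are dropped rather than passed through, so a schema change cannot silently leak a new identifier. Second, the leak scan is a backstop, not a guarantee: regexes catch SSNs and phone numbers, not a note that says “the only pilot in town”; that residual risk is why the rule carries the actual-knowledge condition and why free-text fields are usually excluded from safe-harbor data sets altogether.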
Other HIPAA Considerations for Covered Entities
Adoption of the safe harbor or expert determination method is far from the only requirement for compliance. Failure to implement the Privacy Rule in its entirety, along with the two other rules discussed below, can result in two kinds of penalties, described in the HIPAA Enforcement Rule.
The first kind, civil money penalties, applies in four tiers based on culpability. The figures below are the 2020 inflation-adjusted amounts per violation; HHS adjusts them annually:
- $119 – $59,522 for violations the entity “did not know” about and could not reasonably have known about.
- $1,191 – $59,522 for violations with “reasonable cause” that do not rise to willful neglect.
- $11,904 – $59,522 for violations due to “willful neglect” that were corrected within 30 days.
- At least $59,522 per violation for “willful neglect” that was not corrected, up to an annual cap of $1,785,651 for violations of an identical provision.
The second kind, criminal penalties, is pursued by the Department of Justice for knowing violations:
- Up to 1 year imprisonment and fines up to $50,000 for knowingly obtaining or disclosing PHI.
- Up to 5 years imprisonment and fines up to $100,000 for offenses committed under false pretenses.
- Up to 10 years imprisonment and fines up to $250,000 for offenses committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
To avoid these, companies must also abide by the HIPAA Security and Breach Notification Rules.
The Security Safeguards of the HIPAA Security Rule
The Security Rule is the other major constitutive rule for HIPAA compliance. It applies specifically to PHI that is created, received, maintained, or transmitted electronically (ePHI) and requires covered entities and business associates to ensure its confidentiality, integrity, and availability. According to the HHS’s summary of the Security Rule, this is achieved through three categories of safeguards:
- Administrative safeguards – These controls are implemented at the level of management, including security management protocols, security personnel, information access management, workforce training and management, and regular security evaluation.
- Physical safeguards – These controls are implemented on and between physical devices and locations, including facility access control and individual workstation and device control.
- Technical safeguards – These controls are implemented across software and hardware, including access controls, audit controls, integrity controls, and transmission security controls.
The Security Rule also requires every covered entity and business associate to conduct an accurate and thorough risk analysis of its ePHI and to run an ongoing risk management program that mitigates the threats and vulnerabilities that analysis identifies.
The HIPAA Breach Notification Rule and Protocols
The last considerations for compliance are the provisions of the HIPAA Breach Notification Rule. These are less preventive measures than actions to be taken when a breach of unsecured PHI does occur. Per the HHS’s guide, there are three forms of notice covered entities must provide:
- Individual notice – All individuals whose unsecured PHI was affected must be notified without unreasonable delay, and no later than 60 calendar days after the breach is discovered.
- Media notice – For breaches affecting more than 500 residents of a state or jurisdiction, notice must also be provided to prominent media outlets serving that area, within the same 60-day window.
- Secretary notice – Breaches affecting 500 or more individuals must be reported to the HHS Secretary within the same 60-day window; smaller breaches may be logged and reported annually, within 60 days of the end of the calendar year in which they were discovered.
Across these and the other rules detailed above, HIPAA compliance can be a challenge. Fortunately, working with a qualified HIPAA advisor like RSI Security can facilitate compliance and security.
HIPAA Compliance and Cybersecurity, Simplified
To recap from above, the safe harbor provisions under HIPAA comprise one possible approach to de-identification, which is a critical element of the HIPAA Privacy Rule. Covered entities within and adjacent to the healthcare industry need to implement either safe harbor or expert determination to validate de-identification. They also need to implement all other provisions of the Security and Breach Notification Rules. Contact RSI Security today for custom-tailored solutions to HIPAA compliance for your company.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.